Good morning Richard,

I install your changes but after I set-up Ip access-group 100 in to int vlan 60 I can not ping 192.168.0.99 and 192.168.0.120 any more.

Also port forwarding is not working.

Also question why you use network 192.168.50.0 in configuration of access-list 100.

Thank you for your support in advance!

Ok, can you connect to port 88 and 3389 ? you  have to  allow ICMP in access-list 100 if you want to ping the servers

add the lines 

access-list 100 permit icmp  host 192.168.0.120 any

access-list 100 permit icmp host 192.168.0.99 any

Any other traffic you want to allow you would have to add to the  access-list.

why you use network 192.168.50.0 in configuration of access-list 100. the 192.168.50.0 network one of your inside subnets according to your configuration

Hello,

I can not connect on ports 88, 3389, 81 from outside, but I can connect from inside.

When checking if ports are open using http://portchecker.co/ I see that port 88 is open and 3389 as well but 81 is closed.

Icmp now is working.

Do you know what could be a problem that I can not connect with my servers ?

Any Ideas ? I will appreciate for any solution solving my problem.

One more thing internet access outside from 192.168.0.99 and 192.168.0.120 also is not possible.

Any solution please ?

Please remove ACL from the vlan interface and let me know what works.

Internet access from your servers could be the ACL,at the moment not allowing access to Internet on ports 80 and 443 AS I said before when using ACLs need to know what traffic is allowed and also which has to be blocked.

Hello,

the situation is as follows, when I remove ACL 100 from vlan 60 I have access to Internet on the 192.168.0.99 and 192.168.0.120, but  when I apply ACL 100 in vlan 60 there is no Internet access at all.

But what I found out I have now open ports 88 and 3389, but 81 is still closed.

I have ip nat inside source static tcp 192.168.0.120 37777 interface GigabitEthernet0/0 81 and ACL 100 configuration as you wrote.

I can not understand here why 88 and 3389 is open but 81 is still closed.

ok so you need access to 192.168.0.120 TCP  port 37777 from the Internet( outside)

. it is TCP not UDP?

the way I read your original post you only needed access to that from inside.

Do you have an Internet proxy at all? makes it easier to configure the ACL

I see from your NAT statement Internet users going to port 81 connect to the server on port 37777 so port 81 doesn't need to be open on the server

so the access-list will look more like this: assuming only going to port 80 and 443 on internet plus access to DNS on Internet.

access-list 100 permit tcp host 192.168.0.99 eq 88 any

 access-list 100 permit tcp host 192.168.0.99 eq 3389 any

access-list 100 permit tcp host 192.168.0.120 eq 37777 any

access-list 100 permit icmp  host 192.168.0.120 any

access-list 100 permit icmp host 192.168.0.99 any

access-list 100 permit tcp host 192.168.0.120 any eq 80

access-list 100 permit tcp host 192.168.0.99 any eq 80

access-list 100 permit tcp host 192.168.0.120 any eq 443

access-list 100 permit tcp host 192.168.0.99 any eq 443

access-list 100 permit udp host 192.168.0.120 any eq 53

access-list 100 permit udp host 192.168.0.99 any eq 53

Any one who can check for me below config file ?

Good morning,

thank you for last advices but still I can not get it working.

The situation now is that I have opened ports 80, 88 and 3389 but I do not have Internet access from 192.168.0.99 and 192.168.0.200 and DHCP server also is not setting up IP for Server1 (192.168.0.99) and Server2 (192.168.0.200) I have to remove ip access-group 100 in from vlan 60 then DHCP works.

I find out that maybe all Internet access and port forwarding is blocked also by Firewall configuration (please take a look) - this is generated by Wizard from Cisco Professional Configuration app

For example here but my knowledge about this is nearly zero due to the fact I coming from systems CISCO IOS is for me a new that's why I kindly ask You guys to help me with solving this configuration.

Part of configuration of firewall:

class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 103
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 102
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect match-all sdm-nat-kerberos-1
 match access-group 103
 match protocol kerberos

Configuration from the router:

!
! No configuration change since last restart
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret
enable password
!
no aaa new-model
!
clock timezone PCTime 1 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.10 192.168.1.30
ip dhcp excluded-address 192.168.50.1
ip dhcp excluded-address 192.168.1.20
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool $DHCP_1$
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 dns-server 1.1.1.1 2.2.2.2
 domain-name iowservice.com
 lease infinite
!
ip dhcp pool $DHCP_2$
 host 192.168.0.99 255.255.255.0
 client-identifier xxxxxxxx
 default-router 192.168.0.1
 dns-server 1.1.1.1 2.2.2.2
 lease infinite
!
ip dhcp pool $DHCP_3$
 host 192.168.0.120 255.255.255.0
 client-identifier xxxxxxx
 default-router 192.168.0.1
 dns-server 1.1.1.1 2.2.2.2
 lease infinite
!
!
ip domain name iowservice.com
ip name-server 1.1.1.1
ip name-server 2.2.2.2
ip port-map user-protocol--2 port tcp 3389
!
multilink bundle-name authenticated
!
parameter-map type regex ccp-regex-nonascii
 pattern [^\x00-\x80]

crypto pki token default removal timeout 0

!
!
crypto pki certificate

        quit
license udi pid
!
!
username
username
!
redundancy
!
!
!
!
no ip ftp passive
!
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 103
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 102
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect match-all sdm-nat-kerberos-1
 match access-group 103
 match protocol kerberos
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any multimedia
 match protocol appleqtc
 match protocol netshow
 match protocol realmedia
 match protocol rtsp
 match protocol streamworks
 match protocol vdolive
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map match-any CCP-Transactional-1
 match  dscp af21
 match  dscp af22
 match  dscp af23
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map match-any CCP-Voice-1
 match  dscp ef
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map match-any CCP-Routing-1
 match  dscp cs6
class-map match-any CCP-Signaling-1
 match  dscp cs3
 match  dscp af31
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map match-any CCP-Management-1
 match  dscp cs2
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map CCP-QoS-Policy-1
 class CCP-Voice-1
  priority percent 33
 class CCP-Signaling-1
  bandwidth percent 5
 class CCP-Routing-1
  bandwidth percent 5
 class CCP-Management-1
  bandwidth percent 5
 class CCP-Transactional-1
  bandwidth percent 5
 class class-default
  fair-queue
  random-detect
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map sdm-qos-test-123
 class class-default
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-kerberos-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class class-default
  drop log
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $FW_OUTSIDE$
 ip address 10.10.10.11 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
 service-policy output CCP-QoS-Policy-1
!
interface GigabitEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.1.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1.2
 description $FW_INSIDE$
 encapsulation dot1Q 2
 ip address 192.168.2.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/1.3
 description $FW_INSIDE$
 encapsulation dot1Q 3
 ip address 192.168.3.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/1.4
 description $FW_INSIDE$
 encapsulation dot1Q 4
 ip address 192.168.4.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/1.5
 description $FW_INSIDE$
 encapsulation dot1Q 5
 ip address 192.168.5.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/1.6
 description $FW_INSIDE$
 encapsulation dot1Q 6
 ip address 192.168.6.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/1.7
 description $FW_INSIDE$
 encapsulation dot1Q 7
 ip address 192.168.7.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/1.8
 description $FW_INSIDE$
 encapsulation dot1Q 8
 ip address 192.168.8.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/1.9
 description $FW_INSIDE$
 encapsulation dot1Q 9
 ip address 192.168.9.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/1.10
 description $FW_INSIDE$
 encapsulation dot1Q 10
 ip address 192.168.10.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/1.11
 description $FW_INSIDE$
 encapsulation dot1Q 11
 ip address 192.168.11.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/1.12
 description $FW_INSIDE$
 encapsulation dot1Q 12
 ip address 192.168.12.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 no ip address
!
interface GigabitEthernet0/1/1
 no ip address
!
interface GigabitEthernet0/1/2
 no ip address
!
interface GigabitEthernet0/1/3
 no ip address
!
interface GigabitEthernet0/1/4
 no ip address
!
interface GigabitEthernet0/1/5
 switchport access vlan 60
 no ip address
!
interface GigabitEthernet0/1/6
 switchport access vlan 60
 no ip address
!
interface GigabitEthernet0/1/7
 switchport access vlan 50
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan50
 description $FW_INSIDE$
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface Vlan60
 description $FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source list 3 interface GigabitEthernet0/0 overload
ip nat inside source list 4 interface GigabitEthernet0/0 overload
ip nat inside source list 5 interface GigabitEthernet0/0 overload
ip nat inside source list 6 interface GigabitEthernet0/0 overload
ip nat inside source list 7 interface GigabitEthernet0/0 overload
ip nat inside source list 8 interface GigabitEthernet0/0 overload
ip nat inside source list 9 interface GigabitEthernet0/0 overload
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source list 11 interface GigabitEthernet0/0 overload
ip nat inside source list 12 interface GigabitEthernet0/0 overload
ip nat inside source list 50 interface GigabitEthernet0/0 overload
ip nat inside source list 60 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.120 80 10.10.10.10 80 extendable
ip nat inside source static tcp 192.168.0.99 88 10.10.10.10 88 extendable
ip nat inside source static tcp 192.168.0.99 3389 10.10.10.10 3389 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.10.10.10
!
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.3.0 0.0.0.255
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 192.168.4.0 0.0.0.255
access-list 5 remark CCP_ACL Category=2
access-list 5 permit 192.168.5.0 0.0.0.255
access-list 6 remark CCP_ACL Category=2
access-list 6 permit 192.168.6.0 0.0.0.255
access-list 7 remark CCP_ACL Category=2
access-list 7 permit 192.168.7.0 0.0.0.255
access-list 8 remark CCP_ACL Category=2
access-list 8 permit 192.168.8.0 0.0.0.255
access-list 9 remark CCP_ACL Category=2
access-list 9 permit 192.168.9.0 0.0.0.255
access-list 10 remark CCP_ACL Category=2
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 11 remark CCP_ACL Category=2
access-list 11 permit 192.168.11.0 0.0.0.255
access-list 12 remark CCP_ACL Category=2
access-list 12 permit 192.168.12.0 0.0.0.255
access-list 50 remark CCP_ACL Category=2
access-list 50 permit 192.168.50.0 0.0.0.255
access-list 100 remark CCP_ACL Category=1
access-list 100 permit ip host 192.168.0.99 host 192.168.0.1
access-list 100 permit ip host 192.168.0.120 host 192.168.0.1
access-list 100 permit tcp host 192.168.0.99 eq 88 any
access-list 100 permit tcp host 192.168.0.99 eq 3389 any
access-list 100 permit tcp host 192.168.0.120 eq www any
access-list 100 permit icmp host 192.168.0.99 any
access-list 100 permit icmp host 192.168.0.120 any
access-list 100 permit tcp host 192.168.0.120 any eq www
access-list 100 permit tcp host 192.168.0.99 any eq www
access-list 100 permit tcp host 192.168.0.120 any eq pop3
access-list 100 permit tcp host 192.168.0.99 any eq pop3
access-list 100 permit tcp host 192.168.0.120 any eq smtp
access-list 100 permit tcp host 192.168.0.99 any eq smtp
access-list 100 permit tcp host 192.168.0.120 any eq 443
access-list 100 permit tcp host 192.168.0.99 any eq 443
access-list 100 permit tcp host 192.168.0.120 any eq domain
access-list 100 permit tcp host 192.168.0.99 any eq domain
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 62.87.208.120 0.0.0.3 any
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip any any
access-list 102 permit ip any host 192.168.0.120
access-list 102 remark CCP_ACL Category=0
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.0.99
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
banner login ^  ^C
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Hi,

so if we forget about the ACL on Vlan 60, DHCP works, but you still do not get Internet access? is that correct.

Hello Richard,

Yes correct. I remove from vlan 60 access-group 100. Now I have DHCP but No Internet access and ports 80, 88, 3389 are open.

My feeling is that firewall settings are also blocking connection with Internet from 192.168.0.99 and 192.168.0.120.

Thanks for any help!

Regards,

Gregor